SSD Secure Erase with proper ATA command

I recently wanted to completely wipe (not format) my two Intel X25-M Solid State (SSD) Drives that replaced the ones found in my MacBook Pro (2007) and my Dell Mini 10v (2009), so I went back to a favourite website that I had saved to seek instructions using Ubuntu’s Live CD:

http://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

However, to my surprise, the site doesn’t carry that information anymore (I barely caught the Google-cached page), so I started digging up the web again for a possible fresh set of instructions to compare with my notes. Nevertheless, after successfully wiping these two Intel SSD drives using the “secure erase ATA command”, I am posting an updated copy of those Wiki instructions that are now down the… world wide drain!

First of all, go grab the Ubuntu v9.04 Live CD image (ubuntu-9.04-desktop-i386.iso) and burn it to a blank CD-R with your favourite application (either on Mac or PC). Update: It seems Ubuntu only supports v10.04 LTS now, as their oldest distro, so use Google to find v9.04 if your computer is more than 2 years old; otherwise v10.04 will do just fine. On the Ubuntu download page, there are also instructions on how to convert the .iso into a bootable USB drive; however, after following their Mac OS X instructions carefully, my MacBook Pro did not want to boot Ubuntu via USB, so I ended up burning a CD-R. That’s 0,10 Euros wasted!

Once you successfully boot into the Ubuntu desktop, you will first need to determine the device that your SSD drive is assigned to. Find and run GParted and you should end up with a list of drives and partitions:

As you can see, in this example, the drive to be erased (the only one actually connected to the Dell Mini) is /dev/sda, which has 3 partitions (EFI, Apple HFS+ and NTFS) from my current Hackintosh hybrid.

The procedure below describes how to use the hdparm command to issue a Secure Erase ATA instruction to a target storage device. When a Secure Erase is issued to an SSD drive, all of its cells will be marked as empty, restoring it to factory-default write performance. This is very different from the format command, especially for SSD technology.

DISCLAIMER: This will erase all your data, and it will not be recoverable, even by data recovery services.

DISCLAIMER: If you encounter kernel or firmware bugs (which are plenty with non-widely-tested features such as the ATA Secure Erase) this procedure might render the drive unusable or crash the computer it’s running on.

To successfully issue the so-called ATA Security Erase command, you need to first set a user password. This step is somehow omitted from almost all other sources which describe how to secure erase with hdparm.

The example output shown is from an Intel X25-M (34nm) 40GB SSD running the latest 02M3 firmware. It was run from an Ubuntu 9.04 32-bit (Jaunty) Live CD, booted from CD-ROM.

Start by opening Terminal in Ubuntu.

Step 1 – Make sure the drive’s security is not frozen

You will start by issuing the following command, where “X” matches your device (in my case, sda):

sudo hdparm -I /dev/X
i.e.
sudo hdparm -I /dev/sda

Typically, you should obtain the following information, at the very end of the command output:

If the command output at the end shows “frozen”, then you cannot immediately continue to the next step. It is likely that your BIOS does not allow the ATA Secure Erase command, as it typically issues a “SECURITY FREEZE” command to “freeze” the drive, before booting any operating system. In this case, you could check if your BIOS may (most likely not) have a switch to disable the security freeze.

The only way that I personally was able to reset the “frozen” state of the SSD drive was to put the system into “sleep”. Placing both my MacBook Pro and Dell Mini into “sleep” and then “waking” them (simply by closing and opening the lid after a few seconds) is a trick that seems to work, as the sudo hdparm -I /dev/sda command now issues the required and correct “not frozen” output:

WARNING: When the user password is set, the drive will be locked after next power cycle! (the drive will deny normal access until unlocked with the correct password)

For this process, any password will do as this should only be temporary. After performing the secure erase to the drive, the password will be set back to NULL. For this procedure, I used the password “Eins” like everybody else on the web:

Now you can safely proceed to the next step of actually erasing the drive.

Step 3 – Issuing the ATA Secure Erase command

Still at the Terminal, type:

sudo time hdparm --user-master u --security-erase Eins /dev/sda

Please wait while the process completes. This may take a few minutes; on my MacBook Pro and the Intel X25-M 80GB, it took about 1 minute to complete, whilst on my Dell Mini and the Intel X25-M 40GB about half a minute. It is reported that for a 1TB disk it could take 3 hours or more!

After successfully erasing it, the drive’s security should automatically be reset to “disabled” (thus, no longer requiring a password for access). You have to verify this by running the following command again at the Terminal:

I remember seeing this somewhere but it seems you can issue another parameter to the hdparm command, above, for securely erasing your SSD in an “enhanced” way. According to the command manual, besides issuing the command above in Step 3:

sudo time hdparm --user-master u --security-erase Eins /dev/sda

you can replace the parameter --security-erase with --security-erase-enhanced, provided that your SSD supports this (it must report “supported: enhanced erase” when you issue sudo hdparm -I /dev/sda in Step 1):

The main difference is that “Secure Erase overwrites all user data areas with binary zeroes. Enhanced Secure Erase writes pre-determined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to re-allocation”, thus offering better data-wiping.
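An added example (not from the original Wiki page or this post): a shell script that reads hdparm -I output and names the state the drive is in, covering the Step 1 “frozen” check, the locked state from the WARNING, the post-erase verification and the “supported: enhanced erase” check. The sample listing is constructed from the layout of hdparm’s Security block, and the function and state names are this example’s own.

```shell
#!/bin/sh
# Added example: classify the "Security:" block of `hdparm -I` output.

# Constructed sample modelled on the layout of hdparm's Security block.
# $1 and $2 are "not" or "" and prefix the "enabled" and "frozen" flags.
sample_identify() {
    printf 'Commands/features:\n\t   *\tSMART feature set\n'
    printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\t%s\tenabled\n\tnot\tlocked\n\t%s\tfrozen\n' "$1" "$2"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Keep only the lines between "Security:" and the next unindented header.
security_section() {
    awk '/^Security:/ { on = 1; next } on && /^[A-Za-z]/ { on = 0 } on'
}

# Print yes/no/unknown for one flag; hdparm prefixes a cleared flag with "not".
flag_state() {
    awk -v f="$1" '
        $1 == "not" && $2 == f { s = "no";  exit }
        $1 == f                { s = "yes"; exit }
        END { print (s == "" ? "unknown" : s) }'
}

# Read full `hdparm -I` text on stdin and name the state the procedure is in.
erase_state() {
    sec=$(security_section)
    frozen=$(printf '%s\n' "$sec" | flag_state frozen)
    locked=$(printf '%s\n' "$sec" | flag_state locked)
    enabled=$(printf '%s\n' "$sec" | flag_state enabled)
    if   [ "$frozen" = yes ];  then echo frozen        # Step 1 fails: sleep/wake, re-check
    elif [ "$locked" = yes ];  then echo locked        # power-cycled with a password set
    elif [ "$enabled" = yes ]; then echo password-set  # Step 3 may be issued
    elif [ "$enabled" = no ] && [ "$frozen" = no ]; then
        echo password-not-set                          # before the password is set, or after the erase
    else echo unknown; fi
}

# Succeeds only if the drive reports "supported: enhanced erase".
enhanced_supported() {
    security_section | grep -Eq 'supported:[[:space:]]*enhanced erase'
}

sample_identify not ""  | erase_state   # frozen
sample_identify not not | erase_state   # password-not-set
sample_identify ""  not | erase_state   # password-set
```

On a live system, pipe the real listing in: sudo hdparm -I /dev/sda | erase_state. After a successful erase the expected result is password-not-set.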